AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-13 · Documentation low

File: IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.md

Summary

Updated terminology from 'IAM federated user sessions' to 'AWS STS federated user principals' and related phrasing changes to align with STS service naming

Security assessment

Changes focus on terminology consistency with AWS Security Token Service (STS) naming conventions rather than addressing security vulnerabilities. No evidence of patching vulnerabilities or changing security behavior - only clarifies existing policy evaluation logic documentation.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.md b/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.md
index b3e4e9831..d33f0bf1e 100644
--- a//IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.md
+++ b//IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.md
@@ -30 +30 @@ For most resources, you only need an explicit `Allow` for the principal in eithe
-For single account policy evaluation requests, resource-based policy logic differs from other policy types if the specified principal is an IAM user, an IAM role, or a session principal. Session principals include [IAM role sessions](./reference_policies_elements_principal.html#principal-role-session) or an [IAM federated user session](./reference_policies_elements_principal.html#sts-session-principals). If a resource-based policy grants permission directly to the IAM user or the session principal that is making the request, then an implicit deny in an identity-based policy, a permissions boundary, or a session policy does not impact the final decision.
+For single account policy evaluation requests, resource-based policy logic differs from other policy types if the specified principal is an IAM user, an IAM role, or a session principal. Session principals include [IAM role sessions](./reference_policies_elements_principal.html#principal-role-session) or an [AWS STS federated user principals](./reference_policies_elements_principal.html#sts-session-principals). If a resource-based policy grants permission directly to the IAM user or the session principal that is making the request, then an implicit deny in an identity-based policy, a permissions boundary, or a session policy does not impact the final decision.
@@ -52 +52 @@ Permissions boundaries and session policies do not limit permissions granted usi
-    * **IAM federated user sessions** – An IAM federated user session is a session created by calling [GetFederationToken](./id_credentials_temp_request.html#api_getfederationtoken). When a federated user makes a request, the principal making the request is the federated user ARN and not the ARN of the IAM user who federated. Within the same account, resource-based policies that grant permissions to a federated user ARN grant permissions directly to the session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy.
+    * **AWS STS federated user principal** – A federated user session is a session created by calling [GetFederationToken](./id_credentials_temp_request.html#api_getfederationtoken). When a federated user makes a request, the principal making the request is the federated user ARN and not the ARN of the IAM user who federated. Within the same account, resource-based policies that grant permissions to a federated user ARN grant permissions directly to the session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy.
@@ -56 +56 @@ However, if a resource-based policy grants permission to the ARN of the IAM user
-**Example IAM federated user session ARN**
+**Example federated user session ARN**
@@ -64 +64 @@ However, if a resource-based policy grants permission to the ARN of the IAM user
-  * **Session policies** – The enforcement code checks whether the principal is a session principal. Session principals include an IAM role session or an IAM federated user session. If the principal is not a session principal, the enforcement code returns a final decision of **Allow**.
+  * **Session policies** – The enforcement code checks whether the principal is a session principal. Session principals include an IAM role session or an AWS STS federated user session. If the principal is not a session principal, the enforcement code returns a final decision of **Allow**.
@@ -66 +66 @@ However, if a resource-based policy grants permission to the ARN of the IAM user
-For session principals, the enforcement code checks whether a session policy was passed in the request. You can pass a session policy while using the AWS CLI or AWS API to get temporary credentials for a role or an IAM federated user. If you didn't pass a session policy, a default session policy is created and the enforcement code returns a final decision of **Allow**.
+For session principals, the enforcement code checks whether a session policy was passed in the request. You can pass a session policy while using the AWS CLI or AWS API to get temporary credentials for a role or an AWS STS federated user principal. If you didn't pass a session policy, a default session policy is created and the enforcement code returns a final decision of **Allow**.